This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Johan_Rudberg
Contributor
‎2018-09-06 12:12 AM

Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

Hello

Does someone have experience with lan2lan vpn between checkpoint and ingate firewalls? We have a problem that every 1 hour the vpn tunnel goes down with the error in the checkpoint log like: Reject IKE failure no response from peer.

We have checked in both ends that the subnets we send through the tunnel are correct and they match, same as for all the IKE and IPSEC settings like SA lifetime they also match on both ends, that is SA in Phase 1 and 2 is 1 hour.

Permanent tunnel is also enabled on the checkpoint side with no improvement.

5 Replies
_Val_
Admin
Admin
‎2018-09-06 12:30 AM

How do you authenticate? With Certificates or pre-shared secret? Regular Phase 1 failure usually means CLR is unreachable when VPN is up. Renegotiation fails, tunnel goes down, CLR is reachable again, tunnel goes back up for an hour. 

0 Kudos
Johan_Rudberg
Contributor
‎2018-09-06 12:35 AM
In response to _Val_

We have pre shared secret and they also match on both ends. Tunnel goes up and after 1 hour it goes down again with errors then it goes up and so forrth.

0 Kudos
_Val_
Admin
Admin
‎2018-09-06 12:39 AM
In response to Johan_Rudberg

Now, that should not happen. If checkpoint says "no response from peer", you need to look on Ingate side. However, I still think it makes sense to run vpn debug on CP side to see which part of Phase 1 is failing. 

0 Kudos
Johan_Rudberg
Contributor
‎2018-09-06 06:15 AM
In response to _Val_

Is it safe to turn on debug in a production env? our customer says that the vpn dies once every hour, it sounds like ike/ipsec key negotiations fails for some reason.

0 Kudos
_Val_
Admin
Admin
‎2018-09-06 06:36 AM
In response to Johan_Rudberg

vpn debug is safe. Essentially, vpnd (the process doing IPSec negotiations) is jsut printing out some additional details into two log files. Nothing in kernel, should not be a problem. 

However, if you are not comfortable with it, open a support case so out TAC engineer could assist you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events